Software defined networks (SDNs) have gained great favor in recent years, but continue to present security issues. Generally, they can be vulnerable to attacks from compromised controllers, switches and end hosts. For instance, while it is often assumed that a SDN controller does not exist in the data plane but in a secure, hardened out-of-band network, they often are not so located. Compromised, misconfigured controller nodes can propagate and trigger cascading network failures, while malicious nodes can send malformed or forged packets to corrupt routing tables or create network outages.
Generally, a SDN controller is decentralized. A clustered SDN controller can be fault-tolerant but still largely insecure. At the same time, security features for SDN controllers often present as merely optional, and even these may not be fully suitable. For instance, TLS (transport layer security) communication can be provided between switch and controller but even here, several types of attack are still possible. Also, attacks afflicting traditional networks can affect SDNs as well, and SDNs may be particularly vulnerable here; traditional defenses may not always work in SDNs, while SDN switches generally serve as mere forwarding entities without intelligence.